Date: Fri, 11 Feb 94 00:46:23 PST Reply-To: Return-Path: Message-ID: Mime-Version: 1.0 Content-Type: text/plain From: surfpunk@versant.com (frphevgl pyrnenapr erdhverq) To: surfpunk@versant.com (SURFPUNK Technical Journal) Subject: [surfpunk-0104] CLIPPER: some reactions Prof. Denning has issued a defense of the Clipper proposal (which she advocated in a CACM article long before the initiative was announced). Her specifics are easy enough to refute and I'm sure others will do so. However, she closes with an idea so radical that it shocked me. Her idea that we citizens need a security clearance in order to enter the debate over whether or not we should give up a right we've had for all time (to make, use, disseminate, ..., our own strong cryptography, interfering with the government's ability to spy on us) is so radically off base that the technical debate pales by comparison. - Carl Ellison I believe everything in this issue came over the Cypherpunks list, except for the trailer, which was on bugtraq@crimelab.com ..... strick ________________________________________________________________________ ________________________________________________________________________ From: gnu@toad.com (John Gilmore) To: cypherpunks@toad.com Date: Mon, 07 Feb 94 13:14:48 -0800 ------- Forwarded Message To: gnu@toad.com From: whitfield.diffie@Eng.Sun.COM Date: Mon, 7 Feb 1994 at 13h01 Subject: Preliminary remarks A preliminary reading of the public announcements made on Friday, 4 February 1994, about the results of the Interagency Review of Crypto Policy, suggests that there is less than meets the eye, but there are some interesting points. Whitfield Diffie > The two escrow agents are the National Institute of Standards and > Technology (NIST), a part of the Department of Commerce, and the > Automated Systems Division of the Department of the Treasury. The > two escrow agents were chosen because of their abilities to > safeguard sensitive information, while at the same time being able > to respond in a timely fashion when wiretaps encounter encrypted > communications. In addition, NIST is responsible for establishing > standards for protection of sensitive, unclassified information in > Federal computer systems. Why NIST should excel among federal agencies or even Department of Commerce agencies in the ability ``to safeguard sensitive information, while at the same time being able to respond in a timely fashion when wiretaps encounter encrypted communications'' is hardly obvious. I would have thought the patent office, which has responsibility for for the confidentiality of patent applications and has never, in my memory, been accused of leaking would have been more plausible. The final sentence sounds more like a conflict of interest than a recommendation. Perhaps there is more in this selection than meets the eye. > * License Reform: Under new licensing arrangements, encryption > manufacturers will be able to ship their products from the United > States directly to customers within approved regions without > obtaining individual licenses for each end user. > * Rapid review of export license applications: . . . > goal of two working days. > * Personal use exemption: We will no longer require that U.S. > citizens obtain an export license prior to taking encryption > products out of the U.S. temporarily for their own personal use. Pending the fine print, I suspect these will please lots of people. > * Allow exports of key-escrow encryption: After initial review, > key-escrow encryption products may now be exported to most end > users. Additionally, key-escrow products will qualify for special > licensing arrangements. This is, to me, the most interesting point. Allowing exports, undercuts my assumption that the export significance of the trap-door was merely to make the system unpalatable to foreigners and thereby support a no-export policy. It brings into high relief the question of how escrowed keys will be handled in respect to foreign intelligence. The possibilities would seem to be: o NSA is allowing the export of key escrow devices despite the fact that it will not have access to escrowed keys for reading their traffic and will not be able to read the traffic. o There are procedures we haven't been told about for allowing NSA to get keys for reading the communications of exported devices. This will undoubtedly inspire concern that that route will be used to obtain keys for illegal taps on Americans. A plausible procedure would be to allow export without individual export licenses, but to require reporting of all exported devices and to transfer the keys to those devices to NSA. This would raise the question of whether NSA should have access to the keys for devices exported under the personal use exemption. o Despite all the assurances, there is another trap door in the algorithm that will be used in reading foreign traffic. A publicly explainable mechanism is needed if the intercepts are to be used in court, but not if they are to be `Handled Via COMINT Channels Only.' > - Approval by the Commerce Secretary of the Escrowed Encryption > Standard (EES) as a voluntary Federal Information Processing > Standard, which will enable government agencies to purchase the > Key Escrow chip for use with telephones and modems. The > department's National Institute of Standards and Technology > (NIST) will publish the standard. This is a surprise to me. I thought that after a `no vote' of 300 to 2 the first time around, they would a least go through the ritual of another round of comments. > The Administration has created a new interagency working group on > data security to deal with issues like encryption and digital > telephony. . . . > In addition, the working group will coordinate Administration > policies regarding digital telephony. As more and more telephone > companies install high-speed, digital communications links, it > becomes more and more difficult for law enforcement agencies to > conduct wiretaps. The working group will work with industry to > ensure that new digital telecommunications systems are designed in > a way that ensures that do not prevent court authorized wiretaps. This suggests that they have stopped trying to stiff the telephone companies for the cost of building in the spying and may come around with some `incentives.' No doubt this will get them a much warmer reception. > These procedures do not create, and are not intended to create, > any substantive rights for individuals intercepted through > electronic surveillance, and noncompliance with these procedures > shall not provide the basis for any motion to suppress or other > objection to the introduction of electronic surveillance evidence > lawfully acquired. This hardly seems likely to allay the suspicions of anyone who was skeptical about the abuse potential of key escrow. ------- End of Forwarded Message ________________________________________________________________________ From: Mike Godwin Message-Id: <199402072159.QAA06512@eff.org> Subject: EFF Wants You (to add your voice to the crypto fight) To: mech@eff.org, mnemonic (Mike Godwin) Date: Mon, 7 Feb 1994 16:59:32 -0500 (EST) * DISTRIBUTE WIDELY * Monday, February 7th, 1994 From: Jerry Berman, Executive Director of EFF jberman@eff.org Dear Friends on the Electronic Frontier, I'm writing a personal letter to you because the time has now come for action. On Friday, February 4, 1994, the Administration announced that it plans to proceed on every front to make the Clipper Chip encryption scheme a national standard, and to discourage the development and sale of alternative powerful encryption technologies. If the government succeeds in this effort, the resulting blow to individual freedom and privacy could be immeasurable. As you know, over the last three years, we at EFF have worked to ensure freedom and privacy on the Net. Now I'm writing to let you know about something *you* can do to support freedom and privacy. *Please take a moment to send e-mail to U.S. Rep. Maria Cantwell (cantwell@eff.org) to show your support of H.R. 3627, her bill to liberalize export controls on encryption software.* I believe this bill is critical to empowering ordinary citizens to use strong encryption, as well as to ensuring that the U.S. software industry remains competitive in world markets. Here are some facts about the bill: Rep. Cantwell introduced H.R. 3627 in the House of Representatives on November 22, 1993. H.R. 3627 would amend the Export Control Act to move authority over the export of nonmilitary software with encryption capabilities from the Secretary of State (where the intelligence community traditionally has stalled such exports) to the Secretary of Commerce. The bill would also invalidate the current license requirements for nonmilitary software containing encryption capablities, unless there is substantial evidence that the software will be diverted, modified or re-exported to a military or terroristic end-use. If this bill is passed, it will greatly increase the availability of secure software for ordinary citizens. Currently, software developers do not include strong encryption capabilities in their products, because the State Department refuses to license for export any encryption technology that the NSA can't decipher. Developing two products, one with less secure exportable encryption, would lead to costly duplication of effort, so even software developed for sale in this country doesn't offer maximum security. There is also a legitimate concern that software companies will simply set up branches outside of this country to avoid the export restrictions, costing American jobs. The lack of widespread commercial encryption products means that it will be very easy for the federal government to set its own standard--the Clipper Chip standard. As you may know, the government's Clipper Chip initiative is designed to set an encryption standard where the government holds the keys to our private conversations. Together with the Digital Telephony bill, which is aimed at making our telephone and computer networks "wiretap-friendly," the Clipper Chip marks a dramatic new effort on the part of the government to prevent us from being able to engage in truly private conversations. We've been fighting Clipper Chip and Digital Telephony in the policy arena and will continue to do so. But there's another way to fight those initiatives, and that's to make sure that powerful alternative encryption technologies are in the hands of any citizen who wants to use them. The government hopes that, by pushing the Clipper Chip in every way short of explicitly banning alternative technologies, it can limit your choices for secure communications. Here's what you can do: I urge you to write to Rep. Cantwell today at cantwell@eff.org. In the Subject header of your message, type "I support HR 3627." In the body of your message, express your reasons for supporting the bill. EFF will deliver printouts of all letters to Rep. Cantwell. With a strong showing of support from the Net community, Rep. Cantwell can tell her colleagues on Capitol Hill that encryption is not only an industry concern, but also a grassroots issue. *Again: remember to put "I support HR 3627" in your Subject header.* This is the first step in a larger campaign to counter the efforts of those who would restrict our ability to speak freely and with privacy. Please stay tuned--we'll continue to inform you of things you can do to promote the removal of restrictions on encryption. In the meantime, you can make your voice heard--it's as easy as e-mail. Write to cantwell@eff.org today. Sincerely, Jerry Berman Executive Director, EFF jberman@eff.org P.S. If you want additional information about the Cantwell bill, send e-mail to cantwell-info@eff.org. To join EFF, write membership@eff.org. The text of the Cantwell bill can be found with the any of the following URLs (Universal Resource Locaters): ftp://ftp.eff.org/pub/Policy/Legislation/cantwell.bill http://www.eff.org/ftp/EFF/Policy/Legislation/cantwell.bill gopher://gopher.eff.org/00/EFF/legislation/cantwell.bill ________________________________________________________________________ From: Mike Godwin Message-Id: <199402072010.PAA04906@eff.org> Subject: Newspaper coverage of Administration encryption announcements To: eff-staff, eff-board Date: Mon, 7 Feb 1994 15:10:49 -0500 (EST) The Washington Post, the New York Times, and the Wall Street Journal have all published stories over the last three days concerning the Administration's announcement on Friday, Feb. 5, 1994, that it will continue to deploy the controversial "Clipper Chip" encryption technology and will not significantly change its export controls. >From the Post on Saturday: "That means the administration will continue long-standing restrictions on exports of powerful encryption devices that the NSA cannot crack, and continue to encourage use of NSA-developed encryption gear, called the "Clipper chip," by all U.S. firms. The Clipper Chip makes it relatively easy for the government to eavesdrop on encrypted communications.... "Further, government officials said, the administration is expected in a few weeks to endorse an FBI proposal that U.S. telecommunications firms be required to guarantee law enforcement agencies' ability to tape phone and computer lines regardless of where the technology goes. "At the core of these high-tech disputes lies a fundamental conflict between Americans' cherished privacy rights and the government's investigative needs." >From the Times on Saturday: "But the Administration's action immediately drew a chorus of criticism from both business and privacy-rights groups. Computer and software companies, including Apple Computer, I.B.M. and Microsoft, have adamantly opposed the Clipper Chip because they believe customers will not trust an encryption program that was built by the government and whose inner workings remain a secret. "Perhaps more importantly, they fear that it will harm their ability to export products; they predict that foreign customers will resist buying computers and telecommunications equipment built with decoding technology devised by the National Security Agency. "Privacy-rights groups argue that the technology could lead to unauthorized eavesdropping, because the keys for unscrambling the code will remain in official hands. "'This is bad for privacy, bad for security and bad for exports,' said Jerry Berman, executive director of the Electronic Frontier Foundation, a Washington nonprofit group that lobbies on privacy issues related to electronic networks. 'The Administration is preparing to implement systems that the public will not trust, that foreign countries will not buy, and that terrorists will overcome.'" >From the Wall Street Journal on Monday: "The issue has become a controversial one between law enforcement officials and the computer industry and civil libertarians. In unfolding details of the administration's decision, Mike Nelson, an official at the Office of Science and Technology Policy, said the issue was so difficult it represented 'the Bosnia of telecommunications policy.' "Jerry Berman, executive director of the Electronic Frontier Foundation, a Washington-based computer users' civil-rights group, said the administration's handling of the Clipper Chip policy could make it 'as successful' as the Bosnia policy, which has come under widespread criticism." William Safire has also written about this in today's NYTimes. [It was worth looking up --strick ] ________________________________________________________________________ ________________________________________________________________________ The SURFPUNK Technical Journal is a dangerous multinational hacker zine originating near BARRNET in the fashionable western arm of the northern California matrix. Quantum Californians appear in one of two states, spin surf or spin punk. Undetected, we are both, or might be neither. ________________________________________________________________________ Send postings to , subscription requests to . WWW Archive at ``http://www.acns.nwu.edu/surfpunk/''. [stale; moving soon] ________________________________________________________________________ ________________________________________________________________________ From: erikb@tic.com (Chris Goggans) Subject: Insecurity? What else is new? Date: Thu, 10 Feb 94 00:02:42 -0600 To: firewalls@GreatCircle.COM As many have read lately, the Internet is once again the center of attention for people up in arms about "SECURITY PROBLEMS!!" This is a load of hooey. What is happening now, is no different than what has been going on for years. The only difference now is that more reporters are (or at least consider themselves) net aware. Here's the story... The biggest perpetrators of the recent break ins (recent meaning the last year or so) have been a group of miscreants who are oftimes referred to as "The Posse." They, and their friends, are located in Pennsylvania, New York/New Jersey, Ohio, Arizona, and Florida. One of the PA residents, and the FL person, involved in the breakins has parted ways with the two main people involved due to in-fighting among their little group. The New York/New Jersey parties are not as actively involved in the hacking, but perfom needed social engineering and phone related tricks for the group in exchange for other favors. The main antagonists are both in their late teens...a PA data entry clerk, and an OH hotel desk clerk. Their main method of attack involves getting root on a site then monitoring incoming and outgoing traffic using ethernet sniffers (on suns since they are too pathetic to port their swiped esniff.c program to run on ultrix or other variants) and capturing all tcp activity. They then use this information to get in other hosts and start over. They have programs that allow them to get ypmaps from remote (ypsnarf.c); to nfs mount damn near anything; to get root using sendmail, rdist, the mult bug, and others. They have patches to allow them the ability to place backdoors in login and in.telnetd, and to run other shells to let them jump over firewalls. They have utilities to remove themselves from wtmp, utmp, pacct, ps, and netstat. Unless you have a tcp-wrapper going, you probably wont notice them. I would estimate that about 25% of the American Internet is compromised. This is predominantly university traffic but since these are the people behind breakins at The Well, CNS, Panix, NSFNet, BarrNet, Sun, and others, its pretty safe to assume that they have a lot of fun addresses to play with. Although they have amassed a HUGE amount of hosts through their sniffing, it is unclear as to what they want with the hosts. The predominant motive appears to be the ability to get on IRC anonymously and send ICMP floods to servers and annoy people. They also play games impersonating people on netnews and mail, they fake hacking attempts in order to try to frame people, they play phone games and prank people over and over or otherwise disconnect or disrupt service, they get credit information or billing records to spread around, etc. (As I said before, its pretty pathetic) The real crime here is that the authorities know precisely who is involved, and it persists. One individual was even involved with the MOD busts a few years back and is no longer a minor. Perhaps this time his father won't be able to intervene. They really dont seem to care what happens to them, and they know full well that the authorities have been questioning people about them, yet they persist. Obviously the illusion of power on the net is far more desirable than their petty real lives. my .02 - ->ME